CISO members of the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) published a white paper to help cybersecurity leaders in retail and hospitality prepare for compliance with the California Consumer Privacy Act (CCPA).

Key recommendations from the white paper:

  • Consider contract language that prevents third parties from selling personal information sold to them unless the consumer has received explicit notice and has been provided the opportunity to exercise their right to opt out
  • Consider expanding cookie opt-out functionality to go beyond Interest Based Advertising/Online Behavioral Advertising
  • Geotracking of company vehicles may be considered tracking of consumers
  • Conduct process-centric data mapping identifying all internal and external business processes that process personal information and data flows
  • Establish a governance program
  • Appoint stakeholder(s) to be in charge of CCPA compliance (see photo below for potential candidates)
  • Appoint stakeholder(s) to be in charge of data access/deletion requests
  • Involve stakeholders from all relevant departments
  • Gain buy-in by emphasizing the additional benefits of performing a data mapping/inventory beyond privacy

Read the full white paper.